SlideShare a Scribd company logo

When Crypto Attacks! (Yahoo 2009)

Nate Lawson
Nate Lawson

In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.

EducationTechnology
1 of 26
Download to read offline
When Crypto Attacks! Nate Lawson June 9, 2009 Yahoo! Security Week
My background • Root Labs founder – Design and analyze security products – Focused on: • Embedded and kernel security • Software protection, DRM • Crypto and protocols • Cryptography Research – Reviewed numerous products for flaws – Co-designed Blu-ray disc content protection layer • Infogard Labs – Review crypto products for the FIPS 140 program • IBM/ISS – Original developer of RealSecure IDS 2
We all use AES-CBC • Crypto is deceptively simple and attractive – Block ciphers, public key, etc. make sense conceptually – Books like Applied Cryptography make it accessible – Proofs of security, brute-force strength claims are appealing • Of course, no one implements their own ciphers – Most got the message that custom ciphers are bad – Many low-level crypto libraries to choose from • Java crypto API, BouncyCastle • Microsoft CryptoAPI, .NET Cryptography • OpenSSL, Crypto++ • Only remaining decision is 256 vs. 128 bit keys? 3
If you’re typing “A.E.S.”, you’re doing it wrong • Crypto is extremely fragile – Review is 2x the development cost • If you design it, you don’t get to review it also – Can’t be secured by testing – When it fails, you get to change out root private keys CRYPTO FAIL! 4
How to avoid implementing crypto • What to do instead – Use SSL for transport – Use GPG for protecting data at rest (GPGME lib) • If your design doesn’t seem to fit that model, rework it until it does • If you can’t, use a high-level library – GPGME (LGPL) – Keyczar (Apache) – Gutmann cryptolib (commercial) • Don’t use low-level libraries directly – OpenSSL, Crypto++ – Java crypto, BouncyCastle – .NET System.Security.Cryptography 5
Warning signs: bad crypto ahead • Obvious confusion – Using a MAC to “sign” data – “Decrypting” a signature to verify it – Multiple names/terms for the same field/operation – Overly focused on salts as a key security feature – The words “rainbow tables” • Arguments why non-standard usage is ok, based on… – Key size – Lack of attacker knowledge – A blog post 6
Warning signs: bad crypto ahead • Encrypting multiple blocks with RSA • Insistence that the IV must be kept secret • Spec diagrams from Wikipedia http://en.wikipedia.org/wiki/HMAC 7
How to fix Javascript crypto • Don’t do it; it makes no sense – Where did the browser get the code from? • The webserver – Over? • SSL (we hope) – And the keys that the Javascript uses? • Um, the same webserver • You have SSL on the client and server, use it – Anything you roll yourself is going to be worse – Remove the words “Javascript crypto” from your vocabulary (ahem, Meebo) 8
“Maybe they want to sign something, without having to upload it to the server, say. Or maybe they just don't want to burden the server with tons of crypto. There's lots of good reasons to do crypto without reinventing SSL.“ -- Dave Aitel on Javascript crypto 9
Upgrading encryption on-the-fly • Fixing an old, broken cookie scheme – Old: CBC-encrypted cookie but no integrity protection – New: + HMAC protection of encrypted cookie • Bright idea: “We’ll upgrade user cookies!” – Decrypt the data, check length of result – Detect old cookie based on version field – Set new version, encrypt with new key, add HMAC – Return it to the user 10
Bad PRNG or no seeding • Default “random” PRNGs not a good choice – Cryptographic generator has different requirements • Constantly re-seeded with new entropy • Impossible to guess or even perturb internal state – Don’t use: • Python random (use random.SystemRandom) • java.util.Random (use java.security.SecureRandom) • .NET System.Random (use System.Security.Cryptography. RandomNumberGenerator) • Cold boot case – Server just rebooted and you’re already getting requests • Is there enough entropy? • Are you replaying IVs, challenge values, etc.? – Wait, who in your company is responsible for this? 11
DSA fails if random value known • If the random challenge value k is known, it reveals your entire private key • DSA signature (r, s) is: r = gk mod p mod q s = k-1 (H(m) + x*r) mod q • If you know k, you can calculate x as follows: x = ((s * k) – H(m)) * r-1 mod q • Remember that Debian PRNG bug? – Every DSA key used on a vulnerable system for a single signature is forever compromised • Surprise! – Knowledge of only a few bits of k and multiple signatures is sufficient – Hidden number problem (Boneh, others) 12
Block cipher modes of operation • If you know ECB from CBC, give yourself a hand • Now the following – OFB, CFB, CTR • Stream cipher constructions • Bitwise malleability • Fatal if counter or output reused – CCM, EAX, GCM, OCB • Authenticated encryption • Provide integrity protection + encryption • Fatal if IV reused • Decipher this one – “TDEA Electronic Code Book (TECB) Mode” – Seen in: docs for USB flash key 13
Counter duplication in CTR mode • You painstakingly made sure to not duplicate the counter on the client – Using a counter and saving its state in a variable – You even persisted it to disk in case of a reboot • Or force a renegotiation if you have that option • What about the server? – If using a shared key, you have keystream reuse if the server’s counter overlaps the client's 14
Integrity protection with only a hash • Goal: prevent modification of a cookie • Solution – Send SHA1(key || data) – User can’t create the checksum because they don’t know the secret, right? • Length extension attack – See SHA1 init and final operations below: • Use HMAC instead Initialize variables: – Other ad-hoc constructions h0 = 0x67452301 also vulnerable h1 = 0xEFCDAB89 h2 = 0x98BADCFE h3 = 0x10325476 h4 = 0xC3D2E1F0 … Produce the final hash value: return (h0 || h1 || h2 || h3 || h4) 15
Padding error oracle with CBC encryption • Plaintext is HMACed, padded to block size, CBC- encrypted – Example for AES, message length 14 bytes • Block = p[0], … p[13], 0x01, 0x01 • Server returns two different errors – Padding_Incorrect: pad byte was wrong value for specified total length – Integrity_Failure: padding valid but message modified • Now you can decrypt bytes – Set a block with different guesses for last byte – If correct guess, you’ll get Integrity_Failure error – Repeat for other bytes • Seen in: OpenSSL (Bodo Moeller) 16
Lack of structure in signed data • You have to know exactly what you’re signing! – Think of signed data as a command, typed into a global root shell, on every cluster in your company • Amazon Web Services v1 – Allowed the client to sign a URL 1. Split the query string using '&' and '=' delimeters 2. Concatenate all the key/value pairs into a single string (key1 || value1 || key2 || value2) 3. Protect it with HMAC-SHA1(key, data) • No structure in data means the following are equivalent – …?GoodKey1=GoodValue1BadKey2BadValue2 – …?GoodKey1=GoodValue1&BadKey2=BadValue2 • Seen in: many SSO (single sign-on) designs 17
Padding is not something to ignore • PKCS#1 pads messages to be signed as follows – SigData = 00 01 FF … FF 00 <SHA1-OID> <SHA1-HASH> – Then, signature is RSA-Exp(PrivKey, SigData) • Signature verification seems simple – Process the sig with RSA-Exp(PubKey, SigData) – Find the hash and compare to the hash of the message • Now attacker can create forgeries – For 2048 bit key and 160-bit SHA hash, there are 21888 inputs that will match – With small public key, straightforward algebra to calculate a colliding signature • Every bit of padding data must be strictly checked • Seen in: OpenSSL (+Opera, Konqueror), Firefox, Nintendo Wii 18
Bare (no hash) signatures • Just use RSA directly, why hash first? – Remember warning about lack of structure? • Attack – Choose some small primes – Multiply them together to form your message – Get it signed – Now forge messages composed of any combination of those primes • Fun fact: same property that allows blinding • Seen in: embedded microcontroller 19
“Encrypting” with RSA private key • Example – Device has an RSA public key to verify signature on firmware updates – Idea: keep the public key secret and use it to decrypt the updates also • RSA is incompatible with block cipher thinking – You can’t “encrypt” with a private key and keep the public key secret – An attacker can always figure out the public key (e, n) from observing two signatures for e in [3, 5, 7, … 65537]: n ~= GCD(sig1e – m1, sig2e – m2) if m1e mod n == sig1: break 20
Comparing hash string mistakes • Verifying an RSA signature – RSA-Exp(PubKey, SigData) – Verify all the padding data as you should – return (0 == strncmp(userHash, myHash, 20)); • Attack – Create 256 messages, each slightly different – Once SHA-1(message) == {00, …}, you win! • Seen in: Wii (tmbinc) 21
SRP parameter validation • SRP gives secure password-based key agreement • Seems easy, right? • Like all public-key crypto, very sensitive to choice of values 22
SRP parameter validation bug • What if client sends A=0? • Hmm, server does (A * foobar)baz = 0 – And there are other bad parameters with similar results • Seen in: samhain host integrity tool (Ptacek) 23
I probably ran out of time here • DH small subgroup confinement attack (Tor, IKE) – Sending magic values lets you choose the server’s key (similar to SRP attack) • Encrypting a CRC for an integrity check (SSH v1) • Fault injection during RSA signing (Pay TV smart card glitching) • Timing and other side channel attacks – Guessing correct HMAC by time-to-reject (Keyczar, Xbox360) – Instruction/data and branch predictor cache leaks (everyone) 24
Conclusion • Crypto is brittle (easy to mess up) – And when it fails, the results are spectacular • So don’t build your own crypto – Use SSL for transport – Use GPG for protecting data at rest (GPGME lib) • If your design doesn’t seem to fit that model, rework it until it does • If you can’t, use a high-level library – Keyczar or cryptolib • Always get a third-party review of any crypto code – If you had to design your own (i.e., directly using a low- level library), much more extensive review required 25
Contact info For more detailed articles on these topics, please see my blog linked at: http://rootlabs.com Questions? Nate Lawson nate@rootlabs.com 26

Recommended

TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flawNate Lawson
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Nate Lawson
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 

Recommended

TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flawNate Lawson
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Nate Lawson
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat Security Conference
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itE Hacking
 
Content Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX PlusContent Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX PlusKevin Jones
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакPositive Hack Days
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINXKevin Jones
 
Ntlm Unsafe
Ntlm UnsafeNtlm Unsafe
Ntlm UnsafeGuang Ying Yuan
 
WordPress Performance Tuning
WordPress Performance TuningWordPress Performance Tuning
WordPress Performance TuningJavier Arturo Rodríguez
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminskyDan Kaminsky
 
Web acceleration mechanics
Web acceleration mechanicsWeb acceleration mechanics
Web acceleration mechanicsAlexander Krizhanovsky
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101ConFoo
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSHJeremy Brown
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden TicketGiuseppe Trotta
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsMasabi
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci CompliaceDenish Patel
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyLeif Hedstrom
 
ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)Nate Lawson
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Nate Lawson
 

More Related Content

What's hot

BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat Security Conference
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itE Hacking
 
Content Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX PlusContent Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX PlusKevin Jones
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакPositive Hack Days
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINXKevin Jones
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminskyDan Kaminsky
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101ConFoo
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsMasabi
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci CompliaceDenish Patel
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyLeif Hedstrom
 

What's hot (20)

BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
 
Content Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX PlusContent Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX Plus
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControl
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
 
Ntlm Unsafe
Ntlm UnsafeNtlm Unsafe
Ntlm Unsafe
 
WordPress Performance Tuning
WordPress Performance TuningWordPress Performance Tuning
WordPress Performance Tuning
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
 
Web acceleration mechanics
Web acceleration mechanicsWeb acceleration mechanics
Web acceleration mechanics
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile Applications
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci Compliace
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a Proxy
 

Viewers also liked

ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)Nate Lawson
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Nate Lawson
 
Foundations of Platform Security
Foundations of Platform SecurityFoundations of Platform Security
Foundations of Platform SecurityNate Lawson
 
ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)Nate Lawson
 
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Nate Lawson
 
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Nate Lawson
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Nate Lawson
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS OptimizationNate Lawson
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol DesignNate Lawson
 

Viewers also liked (11)

ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
 
Foundations of Platform Security
Foundations of Platform SecurityFoundations of Platform Security
Foundations of Platform Security
 
ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)
 
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
 
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS Optimization
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
 

Similar to When Crypto Attacks! (Yahoo 2009)

Scaling Rails with memcached
Scaling Rails with memcachedScaling Rails with memcached
Scaling Rails with memcachedelliando dias
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Appsadunne
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 
Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1csharney
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits Raleigh ISSA
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationJust In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationLong Nguyen
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-MiddleTom Eston
 
From One to a Cluster
From One to a ClusterFrom One to a Cluster
From One to a Clusterguestd34230
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Make Your Life Easier With Maatkit
Make Your Life Easier With MaatkitMake Your Life Easier With Maatkit
Make Your Life Easier With MaatkitMySQLConference
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHPEnrico Zimuel
 
Messaging With ActiveMQ
Messaging With ActiveMQMessaging With ActiveMQ
Messaging With ActiveMQBruce Snyder
 

Similar to When Crypto Attacks! (Yahoo 2009) (20)

Scaling Rails with memcached
Scaling Rails with memcachedScaling Rails with memcached
Scaling Rails with memcached
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Apps
 
Drizzle Talk
Drizzle TalkDrizzle Talk
Drizzle Talk
 
All The Little Pieces
All The Little PiecesAll The Little Pieces
All The Little Pieces
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get Stung
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits
 
Cryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesCryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use Cases
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Couch Db
Couch DbCouch Db
Couch Db
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationJust In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-Middle
 
From One to a Cluster
From One to a ClusterFrom One to a Cluster
From One to a Cluster
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Make Your Life Easier With Maatkit
Make Your Life Easier With MaatkitMake Your Life Easier With Maatkit
Make Your Life Easier With Maatkit
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHP
 
Messaging With ActiveMQ
Messaging With ActiveMQMessaging With ActiveMQ
Messaging With ActiveMQ
 

Recently uploaded

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 

Recently uploaded (20)

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 

When Crypto Attacks! (Yahoo 2009)

  • 1. When Crypto Attacks! Nate Lawson June 9, 2009 Yahoo! Security Week
  • 2. My background • Root Labs founder – Design and analyze security products – Focused on: • Embedded and kernel security • Software protection, DRM • Crypto and protocols • Cryptography Research – Reviewed numerous products for flaws – Co-designed Blu-ray disc content protection layer • Infogard Labs – Review crypto products for the FIPS 140 program • IBM/ISS – Original developer of RealSecure IDS 2
  • 3. We all use AES-CBC • Crypto is deceptively simple and attractive – Block ciphers, public key, etc. make sense conceptually – Books like Applied Cryptography make it accessible – Proofs of security, brute-force strength claims are appealing • Of course, no one implements their own ciphers – Most got the message that custom ciphers are bad – Many low-level crypto libraries to choose from • Java crypto API, BouncyCastle • Microsoft CryptoAPI, .NET Cryptography • OpenSSL, Crypto++ • Only remaining decision is 256 vs. 128 bit keys? 3
  • 4. If you’re typing “A.E.S.”, you’re doing it wrong • Crypto is extremely fragile – Review is 2x the development cost • If you design it, you don’t get to review it also – Can’t be secured by testing – When it fails, you get to change out root private keys CRYPTO FAIL! 4
  • 5. How to avoid implementing crypto • What to do instead – Use SSL for transport – Use GPG for protecting data at rest (GPGME lib) • If your design doesn’t seem to fit that model, rework it until it does • If you can’t, use a high-level library – GPGME (LGPL) – Keyczar (Apache) – Gutmann cryptolib (commercial) • Don’t use low-level libraries directly – OpenSSL, Crypto++ – Java crypto, BouncyCastle – .NET System.Security.Cryptography 5
  • 6. Warning signs: bad crypto ahead • Obvious confusion – Using a MAC to “sign” data – “Decrypting” a signature to verify it – Multiple names/terms for the same field/operation – Overly focused on salts as a key security feature – The words “rainbow tables” • Arguments why non-standard usage is ok, based on… – Key size – Lack of attacker knowledge – A blog post 6
  • 7. Warning signs: bad crypto ahead • Encrypting multiple blocks with RSA • Insistence that the IV must be kept secret • Spec diagrams from Wikipedia http://en.wikipedia.org/wiki/HMAC 7
  • 8. How to fix Javascript crypto • Don’t do it; it makes no sense – Where did the browser get the code from? • The webserver – Over? • SSL (we hope) – And the keys that the Javascript uses? • Um, the same webserver • You have SSL on the client and server, use it – Anything you roll yourself is going to be worse – Remove the words “Javascript crypto” from your vocabulary (ahem, Meebo) 8
  • 9. “Maybe they want to sign something, without having to upload it to the server, say. Or maybe they just don't want to burden the server with tons of crypto. There's lots of good reasons to do crypto without reinventing SSL.“ -- Dave Aitel on Javascript crypto 9
  • 10. Upgrading encryption on-the-fly • Fixing an old, broken cookie scheme – Old: CBC-encrypted cookie but no integrity protection – New: + HMAC protection of encrypted cookie • Bright idea: “We’ll upgrade user cookies!” – Decrypt the data, check length of result – Detect old cookie based on version field – Set new version, encrypt with new key, add HMAC – Return it to the user 10
  • 11. Bad PRNG or no seeding • Default “random” PRNGs not a good choice – Cryptographic generator has different requirements • Constantly re-seeded with new entropy • Impossible to guess or even perturb internal state – Don’t use: • Python random (use random.SystemRandom) • java.util.Random (use java.security.SecureRandom) • .NET System.Random (use System.Security.Cryptography. RandomNumberGenerator) • Cold boot case – Server just rebooted and you’re already getting requests • Is there enough entropy? • Are you replaying IVs, challenge values, etc.? – Wait, who in your company is responsible for this? 11
  • 12. DSA fails if random value known • If the random challenge value k is known, it reveals your entire private key • DSA signature (r, s) is: r = gk mod p mod q s = k-1 (H(m) + x*r) mod q • If you know k, you can calculate x as follows: x = ((s * k) – H(m)) * r-1 mod q • Remember that Debian PRNG bug? – Every DSA key used on a vulnerable system for a single signature is forever compromised • Surprise! – Knowledge of only a few bits of k and multiple signatures is sufficient – Hidden number problem (Boneh, others) 12
  • 13. Block cipher modes of operation • If you know ECB from CBC, give yourself a hand • Now the following – OFB, CFB, CTR • Stream cipher constructions • Bitwise malleability • Fatal if counter or output reused – CCM, EAX, GCM, OCB • Authenticated encryption • Provide integrity protection + encryption • Fatal if IV reused • Decipher this one – “TDEA Electronic Code Book (TECB) Mode” – Seen in: docs for USB flash key 13
  • 14. Counter duplication in CTR mode • You painstakingly made sure to not duplicate the counter on the client – Using a counter and saving its state in a variable – You even persisted it to disk in case of a reboot • Or force a renegotiation if you have that option • What about the server? – If using a shared key, you have keystream reuse if the server’s counter overlaps the client's 14
  • 15. Integrity protection with only a hash • Goal: prevent modification of a cookie • Solution – Send SHA1(key || data) – User can’t create the checksum because they don’t know the secret, right? • Length extension attack – See SHA1 init and final operations below: • Use HMAC instead Initialize variables: – Other ad-hoc constructions h0 = 0x67452301 also vulnerable h1 = 0xEFCDAB89 h2 = 0x98BADCFE h3 = 0x10325476 h4 = 0xC3D2E1F0 … Produce the final hash value: return (h0 || h1 || h2 || h3 || h4) 15
  • 16. Padding error oracle with CBC encryption • Plaintext is HMACed, padded to block size, CBC- encrypted – Example for AES, message length 14 bytes • Block = p[0], … p[13], 0x01, 0x01 • Server returns two different errors – Padding_Incorrect: pad byte was wrong value for specified total length – Integrity_Failure: padding valid but message modified • Now you can decrypt bytes – Set a block with different guesses for last byte – If correct guess, you’ll get Integrity_Failure error – Repeat for other bytes • Seen in: OpenSSL (Bodo Moeller) 16
  • 17. Lack of structure in signed data • You have to know exactly what you’re signing! – Think of signed data as a command, typed into a global root shell, on every cluster in your company • Amazon Web Services v1 – Allowed the client to sign a URL 1. Split the query string using '&' and '=' delimeters 2. Concatenate all the key/value pairs into a single string (key1 || value1 || key2 || value2) 3. Protect it with HMAC-SHA1(key, data) • No structure in data means the following are equivalent – …?GoodKey1=GoodValue1BadKey2BadValue2 – …?GoodKey1=GoodValue1&BadKey2=BadValue2 • Seen in: many SSO (single sign-on) designs 17
  • 18. Padding is not something to ignore • PKCS#1 pads messages to be signed as follows – SigData = 00 01 FF … FF 00 <SHA1-OID> <SHA1-HASH> – Then, signature is RSA-Exp(PrivKey, SigData) • Signature verification seems simple – Process the sig with RSA-Exp(PubKey, SigData) – Find the hash and compare to the hash of the message • Now attacker can create forgeries – For 2048 bit key and 160-bit SHA hash, there are 21888 inputs that will match – With small public key, straightforward algebra to calculate a colliding signature • Every bit of padding data must be strictly checked • Seen in: OpenSSL (+Opera, Konqueror), Firefox, Nintendo Wii 18
  • 19. Bare (no hash) signatures • Just use RSA directly, why hash first? – Remember warning about lack of structure? • Attack – Choose some small primes – Multiply them together to form your message – Get it signed – Now forge messages composed of any combination of those primes • Fun fact: same property that allows blinding • Seen in: embedded microcontroller 19
  • 20. “Encrypting” with RSA private key • Example – Device has an RSA public key to verify signature on firmware updates – Idea: keep the public key secret and use it to decrypt the updates also • RSA is incompatible with block cipher thinking – You can’t “encrypt” with a private key and keep the public key secret – An attacker can always figure out the public key (e, n) from observing two signatures for e in [3, 5, 7, … 65537]: n ~= GCD(sig1e – m1, sig2e – m2) if m1e mod n == sig1: break 20
  • 21. Comparing hash string mistakes • Verifying an RSA signature – RSA-Exp(PubKey, SigData) – Verify all the padding data as you should – return (0 == strncmp(userHash, myHash, 20)); • Attack – Create 256 messages, each slightly different – Once SHA-1(message) == {00, …}, you win! • Seen in: Wii (tmbinc) 21
  • 22. SRP parameter validation • SRP gives secure password-based key agreement • Seems easy, right? • Like all public-key crypto, very sensitive to choice of values 22
  • 23. SRP parameter validation bug • What if client sends A=0? • Hmm, server does (A * foobar)baz = 0 – And there are other bad parameters with similar results • Seen in: samhain host integrity tool (Ptacek) 23
  • 24. I probably ran out of time here • DH small subgroup confinement attack (Tor, IKE) – Sending magic values lets you choose the server’s key (similar to SRP attack) • Encrypting a CRC for an integrity check (SSH v1) • Fault injection during RSA signing (Pay TV smart card glitching) • Timing and other side channel attacks – Guessing correct HMAC by time-to-reject (Keyczar, Xbox360) – Instruction/data and branch predictor cache leaks (everyone) 24
  • 25. Conclusion • Crypto is brittle (easy to mess up) – And when it fails, the results are spectacular • So don’t build your own crypto – Use SSL for transport – Use GPG for protecting data at rest (GPGME lib) • If your design doesn’t seem to fit that model, rework it until it does • If you can’t, use a high-level library – Keyczar or cryptolib • Always get a third-party review of any crypto code – If you had to design your own (i.e., directly using a low- level library), much more extensive review required 25
  • 26. Contact info For more detailed articles on these topics, please see my blog linked at: http://rootlabs.com Questions? Nate Lawson nate@rootlabs.com 26